On 01/21/2014 06:50 PM, Joseph S. Myers wrote:
On Tue, 21 Jan 2014, Prathamesh Kulkarni wrote:

Sources of these warnings are typically calls to error() and friends.
In C and C++ front ends there are many calls of error (errmsg).
errmsg is, in many cases, assigned the return value of targetm hooks
(targetm.invalid_return_type(), etc.). Is it correct to replace
error (errmsg) by error ("%s", errmsg) in these cases?

No.  Typically the message returned by the hook may contain no-arguments
format specifiers such as %< and %>.  Instead, to avoid such warnings you
need to add a new function error_at_no_args (location, message) that
accepts and processes only formats taking no arguments (and probably
aborts if given a format that needs arguments).

And printf format strings also can contain %% and %m (the latter is a GNU extension). That's why we cannot perform the arg -> "%s", arg transformation unconditionally in the compiler, rendering -Wformat-security pointless. Which is a bit disappointing.

--
Florian Weimer / Red Hat Product Security Team
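
The check discussed in this thread, as an added C sketch that is not GCC code and not written by any of the posters: a validator that accepts only the no-argument directives named above (%%, %m, %<, %>) and a renderer that refuses anything else. The names format_takes_no_args and render_no_args are hypothetical, the directive set is assumed to be exactly the four from the thread, and plain ASCII quotes stand in for %< and %>.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if FMT uses only directives the thread names as taking no
   argument (%% and %m from printf, %< and %> from GCC diagnostics);
   return 0 for anything that would read a vararg or a trailing '%'. */
int format_takes_no_args(const char *fmt)
{
    for (const char *p = fmt; *p; p++)
        if (*p == '%' && (*++p == '\0' || !strchr("%m<>", *p)))
            return 0;
    return 1;
}

/* Hypothetical stand-in for the proposed error_at_no_args: expand FMT
   into OUT (N bytes). Returns 0, or -1 if FMT needs arguments or does
   not fit; the thread suggests aborting in the first case. */
int render_no_args(char *out, size_t n, const char *fmt)
{
    size_t used = 0;
    if (n == 0 || !format_takes_no_args(fmt))
        return -1;
    for (const char *p = fmt; *p; p++) {
        char lit[2] = { *p, '\0' };
        const char *piece = lit;
        if (*p == '%')
            switch (*++p) {
            case '<': case '>': piece = "'"; break;   /* ASCII quotes assumed */
            case 'm': piece = strerror(errno); break; /* errno text, no vararg */
            default:  piece = "%"; break;             /* "%%" */
            }
        size_t len = strlen(piece);
        if (used + len >= n)
            return -1;
        memcpy(out + used, piece, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];   /* constructed sample message below */
    if (render_no_args(buf, sizeof buf, "invalid use of %<void%>") == 0)
        puts(buf);
    return 0;
}
```

Passing the same constructed message through "%s" would print the %< and %> markers verbatim, which is the behaviour the first reply objects to.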
